Security professionals are concerned that a program used by hackers to exploit a flaw in Microsoft IIS webserver has not been made public. They fear that the hackers are keeping the tool secret in a bid to launch further damaging IIS attacks.

The latest in a long line of vulnerabilities in IIS was discovered last week, when it was revealed that a remote buffer overflow in all versions of IIS Internet Services API could be exploited to give an attacker complete control of a system.

But the security community is worried that hackers may be hanging on to the tool used for exploiting this hole, rather than releasing it for analysis so that a patch can be developed.

Typically, when a hole is discovered, a tool capable of exploiting the glitch appears within 48 hours, encouraging administrators to patch their systems quickly.

But so far, no such tool has appeared to push administrators into gear, although rumour has it that hackers are in possession of such a program, potentially leaving the six million users of IIS at risk.

Security firm @stake warned that administrators are less likely to react to an advisory if there is no exploit tool available.

Hackers thrive on a lack of awareness in security and, by keeping the exploit tool underground, network administrators could be lulled into a false sense of security.